Re: Proposed Statement on "HTTPS everywhere for the IETF"

On Mon, Jun 01, 2015 at 04:58:07PM -0400, Phillip Hallam-Baker wrote:
> On Mon, Jun 1, 2015 at 4:15 PM, Brian E Carpenter <
> brian.e.carpenter@xxxxxxxxx> wrote:
> 
> > Hi,
> >
> > I think this is reasonable. However, it seems necessary to qualify it
> > by pointing out that users of HTTPS remain exposed to traffic analysis
> > (e.g. see https://arxiv.org/pdf/1403.0297).
> >
> 
> Agreed.
> 
> But I would add a note to say that blocking traffic analysis is something
> that requires link layer encryption. I don't think we can do much to
> prevent that type of attack in IETF but we could stir IEEE to do something
> useful.

Traffic analysis might be happening far from the client, and might be
happening on middle boxes controlled by the attacker.  (Which is not to
say that we shouldn't bother with link-layer encryption in addition to
end-to-end encryption.)

There are many traffic analysis considerations.  For this particular
purpose it should suffice to refer to traffic analysis in general.
Though it might be useful to add recommendations about things like
length masking (since otherwise even just the lengths of packets might
suffice to identify the resources a user is accessing).

Nico
-- 
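
To illustrate the length-masking point in the message above, here is a Python sketch; it is an added example, not part of the original thread. The site paths, body sizes and the fixed per-response overhead are constructed assumptions. It counts how many resources remain uniquely identifiable from observed ciphertext length under different padding policies, and what each policy costs in bandwidth.

```python
"""Length masking: what observed ciphertext lengths reveal, with and without padding."""
from collections import Counter

# Constructed sample: response body sizes in bytes for a hypothetical site.
RESOURCES = {
    "/index.html": 5120,
    "/about.html": 5187,
    "/contact.html": 2310,
    "/health/condition-a.html": 14802,
    "/health/condition-b.html": 15933,
    "/health/condition-c.html": 9741,
    "/login": 1204,
    "/search": 3150,
}

# Assumed constant framing/authentication overhead; being constant, it masks nothing.
FIXED_OVERHEAD = 21

def no_padding(n):
    return n

def pad_to_block(n, block=4096):
    """Round the plaintext length up to the next multiple of `block`."""
    return -(-n // block) * block

def pad_to_pow2(n):
    """Round the plaintext length up to the next power of two."""
    return 1 << (n - 1).bit_length()

def analyse(resources, pad):
    """Return (uniquely identifiable resources, smallest anonymity set, bandwidth ratio)."""
    observed = {path: pad(size) + FIXED_OVERHEAD for path, size in resources.items()}
    buckets = Counter(observed.values())  # how many resources share each observed length
    unique = sum(1 for length in observed.values() if buckets[length] == 1)
    ratio = sum(pad(s) for s in resources.values()) / sum(resources.values())
    return unique, min(buckets.values()), round(ratio, 2)

if __name__ == "__main__":
    policies = {
        "none": no_padding,
        "4 KiB blocks": pad_to_block,
        "power of two": pad_to_pow2,
        "fixed 16 KiB": lambda n: pad_to_block(n, 16384),
    }
    for name, pad in policies.items():
        unique, smallest, ratio = analyse(RESOURCES, pad)
        print(f"{name:>13}: {unique} unique, min set {smallest}, {ratio}x bandwidth")
```

On this sample, block and power-of-two padding each still leave one resource in a bucket of its own, so a padding policy should be checked against the actual size distribution of the content it protects.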